Responsible Disclosure Program
A guide for ethical hackers and customers who want to report security vulnerabilities in our products
Introduction
Ideagen is a software company that values the security and privacy of our customers and users. We appreciate the efforts of ethical hackers who help us improve our products by finding and reporting security vulnerabilities. We want to encourage and reward such responsible disclosures, while protecting our business and legal interests.
This document describes our responsible disclosure program, which is a set of guidelines and expectations for ethical hackers who want to report security vulnerabilities in our products. This program does not offer any monetary rewards or bug bounties, but we will acknowledge and thank the reporters publicly once the reported issue has been fixed, which will be as soon as possible.
Scope
Our responsible disclosure program covers the following products and services:
- Our website, www.ideagen.com, as well as all subsidiaries
- Our mobile applications, available on iOS and Android platforms
- Our desktop applications, available on Windows, Mac, and Linux platforms
- Our cloud services, accessible via APIs or web interfaces
The following products and services are out of scope for our responsible disclosure program:
- Any third-party products or services that we use or integrate with, such as payment processors, analytics providers, or hosting providers
- Any products or services that are under development, testing, or beta stages, or that are not publicly available or accessible
- Any products or services that are not owned or operated by us, such as our partners, affiliates, or customers
Guidelines
If you are an ethical hacker or customer who wants to report a security vulnerability in our products or services, please follow these guidelines:
- Do not attempt to access, modify, or delete any data that does not belong to you, or that you do not have explicit permission to access, modify, or delete
- Do not attempt to disrupt, degrade, or damage the availability, performance, or functionality of our products or services, or any other systems or networks that we use or rely on
- Do not attempt to exploit the vulnerability for personal gain, malicious intent, or any other unlawful or unethical purpose
- Do not disclose the vulnerability to anyone else, or to the public, before notifying us and receiving our confirmation and permission
- Do not use any automated tools, scanners, or scripts that may generate excessive traffic, requests, or errors, or that may interfere with our normal operations
- Do use a valid and verifiable email address to contact us, and provide us with clear and detailed information about the vulnerability, such as the product or service affected, the steps to reproduce the issue, the potential impact and risk, and any proof-of-concept or screenshots
Attack limitations
- Attacks that require social engineering/phishing
- Attacks that require physical access to the user's device
- Content spoofing / text injection that cannot be leveraged for XSS or sensitive data disclosure
- Self XSS, or XSS that affects only out-of-date browsers
- Denial of Service (DoS) attacks
- Lack of MFA
- Accessible non-sensitive files and directories (e.g. README.TXT, CHANGES.TXT, robots.txt, .gitignore, etc.)
- TLS/SSL issues, including BEAST, BREACH, insecure renegotiation, bad cipher suites, expired certificates, etc.
Reporting
If you have found a security vulnerability in our products or services, and you have followed the above guidelines, please report it to us as soon as possible by sending an email to disclosure@ideagen.com. We will respond to your report within 2 business days, and we will keep you updated on the status and progress of our investigation and remediation.
We will not take any legal action against you, or report you to law enforcement authorities, as long as you comply with our responsible disclosure program and act in good faith. However, we reserve the right to take any appropriate actions against anyone who violates our program or abuses our products or services.
Acknowledgement
We appreciate and value the contributions of ethical hackers who help us improve the security of our products and services. We will publicly acknowledge and thank the reporters of valid and verified security vulnerabilities that have not already been acknowledged, on our website and on our social media channels, unless they prefer to remain anonymous or confidential.
We will also provide the reporters with a certificate of appreciation.
Acknowledged Vulnerability Examples
Examples of vulnerabilities we acknowledge (this list is not exhaustive):
- HTTP Header misconfigurations
- Version Disclosure (Leaked via HTTP Headers)
- Cookie misconfigurations (Secure, HttpOnly, SameSite)
- Email Address Disclosure
- Outdated frameworks & plugins
Contact
If you have any questions, comments, or feedback about our responsible disclosure program, please feel free to contact us at disclosure@ideagen.com. We look forward to hearing from you and working with you to make our products and services more secure and reliable.